While Google has encouraged users to enable two-step authentication within Google Apps to add "an extra layer of security," the U.S. National Institute of Standards and Technology updated its Digital Authentication Guidelines (DAG) on July 27 and now states that two-factor verification over SMS isn't secure and should be banned.

"If the out-of-band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [out-of-band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

NIST does approve, however, of authentication via multifactor (MF) one-time passwords (OTP), where the second authentication factor is biometric, like a fingerprint, or input with an entry pad or interface, as through a USB port.

"The one-time password is typically displayed on the device and manually input to the verifier, although direct electronic output from the device as input to a computer is also allowed," the DAG explains. "For example, a one-time password device may display 6 characters at a time. The MF OTP device is something you have, and it may be activated by either something you know or something you are."

The DAG adds that any biometric data derived from a biometric sample "SHALL be immediately erased from storage immediately after an authentication transaction has taken place." (Uppercasing and italics are NIST's.)
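The three verifier-side rules quoted above (SMS only to a mobile-network number, no phone-number change without two-factor authentication, and a MF OTP device that emits a six-character code only once activated by something you know) can be expressed as code. The following is an added example, not NIST's or Google's code; NUMBER_TYPE is a constructed stand-in for a real number-type lookup service, and the OTP device is simulated with RFC 4226 HOTP.

```python
"""Verifier-side policy checks modelling the NIST draft rules quoted above.
Constructed example: NUMBER_TYPE stands in for a real number-type lookup
service (an assumption), and the OTP device is simulated in software."""
import hashlib
import hmac

# Constructed lookup table: what a number-type lookup service would report.
NUMBER_TYPE = {
    "+15550001111": "mobile",
    "+15550002222": "voip",
    "+15550003333": "mobile",
}


def sms_oob_allowed(phone: str) -> bool:
    """SMS out-of-band codes may only go to a number on a mobile network, never
    to a VoIP or other software-based service; unknown numbers fail closed."""
    return NUMBER_TYPE.get(phone) == "mobile"


def change_phone(account: dict, new_phone: str, second_factor_ok: bool) -> bool:
    """The pre-registered number may only change after two-factor authentication
    at the time of the change, and the new number must itself be SMS-eligible."""
    if not second_factor_ok or not sms_oob_allowed(new_phone):
        return False
    account["phone"] = new_phone
    return True


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the six-character code a MF OTP device would display."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def mf_otp_code(secret: bytes, counter: int, pin: str, expected_pin: str):
    """Simulated MF OTP device: 'something you have' (the secret) only emits a
    code once activated by 'something you know' (the PIN)."""
    if not hmac.compare_digest(pin, expected_pin):
        return None
    return hotp(secret, counter)


def verify_otp(secret: bytes, counter: int, submitted: str) -> bool:
    """Verifier side: constant-time comparison against the expected code."""
    return hmac.compare_digest(hotp(secret, counter), submitted)
```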

One alternative to SMS is Google Prompt, which the company made widely available June 20. Rather than sending an SMS with a six-digit code to type in, Prompt sends a push notification that a user simply taps to approve a log-in request. On Android devices it's integrated into Google Now, and on iOS it's part of Google Search, though users need to download the Google Search app and sign in.

(Google notes that a data connection is required to use Prompt, and Prompt and Security Keys can't be enabled at the same time.)

Google began testing Prompt in December with a limited group of users, saying it wanted to curb phishing and other attacks based on the exploitation of passwords.

In recent years, SMS has been tied to a number of security issues. At the Black Hat Security Conference in 2013, a cryptographer at Security Research Labs used SMS to hack into a phone in just two minutes. And last year, a flaw in Android made nearly a billion phones vulnerable to a virus that could be sent via SMS, whether the recipient opened the message or not.

While there is no legal obligation to follow NIST guidelines, most major companies do.
